Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Missing Zero-Address Check in `MErc20DelegateMadFixer.sweepAll`

Summary

The MErc20DelegateMadFixer contract contains a critical vulnerability because the sweepAll function performs no zero-address check on its sweeper parameter. As a result, the admin can sweep all underlying tokens by passing the zero address as the sweeper argument, potentially leading to a loss of funds.

Vulnerability Details

The vulnerable function sweepAll in the MErc20DelegateMadFixer contract accepts any address as the sweeper without validating it. Consequently, if the zero address (0x0000000000000000000000000000000000000000) is provided as the sweeper, the function still executes and the admin transfers the contract's entire underlying token balance to the zero address.

Impact

The impact of this vulnerability could be severe. A sweep to the zero address sends the entire underlying token balance held by the contract to an address from which it cannot be recovered, resulting in a loss of funds for the contract owner and for users who have deposited their assets into the contract.

Tools Used

Manual Review

Recommendations

To mitigate the vulnerability, add a zero-address check to the sweepAll function before the token transfer is executed, so that the call reverts whenever the supplied sweeper address is the zero address.
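The following is an added illustration of the recommended fix, not Moonwell's MErc20DelegateMadFixer code. The contract name SweepAllExample, the admin storage variable, the minimal IERC20 interface and the Swept event are assumptions made for this example; it shows the unchecked sweep pattern the report describes next to the hardened version with the zero-address check placed before the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC20 surface needed for a sweep (assumption of this example).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative contract (not Moonwell's own): holds an underlying token and
// lets the admin sweep the whole balance to a designated sweeper address.
contract SweepAllExample {
    address public admin;
    address public underlying;

    event Swept(address indexed sweeper, uint256 amount);

    constructor(address _underlying) {
        admin = msg.sender;
        underlying = _underlying;
    }

    /// Vulnerable form, as described in the report: `sweeper` is not validated.
    /// For a token whose transfer does not revert on a zero recipient, the whole
    /// balance would be sent to address(0) and become unrecoverable.
    function sweepAllUnchecked(address sweeper) external {
        require(msg.sender == admin, "only admin may sweep");
        IERC20 token = IERC20(underlying);
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(sweeper, amount), "transfer failed");
        emit Swept(sweeper, amount);
    }

    /// Hardened form: the recommended zero-address check sits before any
    /// state-changing call, so a mistaken call reverts instead of burning funds.
    function sweepAll(address sweeper) external {
        require(msg.sender == admin, "only admin may sweep");
        require(sweeper != address(0), "sweeper cannot be the zero address");
        IERC20 token = IERC20(underlying);
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(sweeper, amount), "transfer failed");
        emit Swept(sweeper, amount);
    }
}
```

The check is deliberately placed after the access-control check and before the balance read and transfer, so the function fails fast on bad input without relying on the underlying token's own behaviour for zero recipients, which differs between ERC20 implementations.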

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
